What is the Galil.F worm?

Galil.F is a mass-mailing worm that uses its own SMTP engine or Microsoft Outlook to spread. It harvests email addresses from the files in the current user's Temporary Internet Files folder, Yahoo Messenger, Microsoft Outlook address book, as well as the files whose extensions are .asf, .avi, .doc, .jpg, .mdb, .mpe, .mpeg, .mpg, .pps, .ram, .rar, or .xls.

The worm may spoof the "From" field. The email message has a randomly selected subject line, which may also be the attachment name. The attachment has a .bhx, .exe, .hqx, .mim, .uu , .uue, or .xxe extension.

It is written in the Microsoft Visual Basic (VB) programming language and is compressed with UPX.

Also known as: W32.Galil.F@mm, W32/Holar-G, W32/Holar.gen@MM

How Does Galil.FInfect My System?

When Galil.F runs, it does the following:

1. Displays a fake message:
   
   
   
   
    
2. May create a folder, %Windir%\Sys32s, and copy itself as %Windir%\Sys32s\ZaCker.exe with attributes set to Read-only, Hidden, and System.



3. Copies itself as %System%\MizZabbat32.exe.
    
4. May create the following files:
    
   • %System%\Syschk.exe: (With attributes may set to Read-only, Hidden, and System. This is the worm's propagation component.) 29,183 bytes
   • %System%\Smtp.Ocx: (An SMTP library. This file is not viral by itself.) 25,736 bytes
   • %System%\Runhelp.cab: (Which contains a file runhelp.inf. This file is not viral by itself.) 6,323 bytes
   • %Windir%\Sys32s\Runhelp.cab: (With attributes set to Read-only, Hidden, and System.) 6,323 bytes
   • %Windir%\Web\Folder.htt: (With attributes is set to Hidden and Archive.) 15,483 bytes
     
      
5. May add a value:
   
   "SystemChecker"="%System%\Syschk.exe"
   
   to the registry key:
   
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrenVersion\Run
   
   so that the worm's propagation component runs when you start Windows.
   
    
6. May add a value:
   
   "Cya"
   
   to the registry key:
   
   HKEY_CURRENT_USER
   
    
7. Retrieves email addresses from the files in the current user's Temporary Internet Files folder, Yahoo Messenger, Microsoft Outlook address book, and files whose extensions are .asf, .avi, .doc, .jpg, .mdb, .mpe, .mpeg, .mpg, .pps, .ram, .rar, or .xls.
   
    
8. Uses its own SMTP engine or Outlook to send itself to all the email addresses it finds.
   
   The worm may spoof the From: field. The email message has a randomly selected subject line, which may also be the attachment name. The attachment has a .bhx, .exe, .hqx, .mim, .uu , .uue, or .xxe, extension. The message body is one of the following:
    
   • <blank>
   • hey
     Check this out ;)
   • Hey
     I thought you trusted me but ...
     i haven't ever thought i should send u my briefcase to gain ur Trust .
     Have it all :) bye
   • Hey Wussap?
     Here is the Emmy ;) Dont tell Sam abt it
     Cya
   • Another one?
   • Heyyyy
   • I lost the other email , anyway i sent u all u need
     Cya
   • Hey
     i have just got it , plz tell me if u need more.
     bye
   • ......

How to Remove the Galil.F worm?

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles: How to Disable System Restore in Windows ME or Windows XP.

2. Updating the virus definitions

If you do not know which anti-virus software can provide strong protection for you, Kaspersky Internet Security is recommended.

3. Scanning for and deleting the infected files

1. Start your Kaspersky Internet Security and make sure that it is configured to scan all the files.
2. Run a full system scan.
3. If any files are detected as infected with Galil.F, click Delete.

4. Deleting the value from the registry

1. Click Start, and then click Run. (The Run dialog box appears.)



2. Type regedit
   
   Then click OK. (The Registry Editor opens.)
   
    
3. Navigate to the key:
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   
    
4. In the right pane, delete the value:
   
   "SystemChecker"="%System%\Syschk.exe"
   
    
5. Navigate to the key:
   
   HKEY_CURRENT_USER
   
    
6. In the right pane, delete the value
   
   "Cya"
   
    
7. Exit the Registry Editor.

How to Disinfect My Computer from Worms?

In order to keep your computer protected, bear the following tips in mind:

1. If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of doing this, you receive the message that contains the virus: do not open it, do not run the attached file and delete it, making sure that you also delete it from the Deleted Items folder.
2. Install a good antivirus in your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
3. Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
4. Keep your permanent antivirus protection enabled at all times.

Detect and Removal Instruction for Other Worms - 'G':